b'                                  UNCLASSIFIED\n\n\n\n\n           Critical Infrastructure Protection:\n           The Department Can Enhance Its\n             International Leadership and\n                 Its Own Cyber Security\n\n\n\n                Report Number 01-IT-R-044, June 2001\n\n\n\n\nOIG Report No. 01-IT-R-044, Critical Infrastructure Protection - June 2001   43\n\n\n                                  UNCLASSIFIED\n\x0c                       UNCLASSIFIED\n\n\n\nTable of Cont ents\n         Contents\n\n\n                 EXECUTIVE SUMMARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .               1\n                 Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .   1\n                 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .    1\n                 Results in Brief . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .    2\n                 Principal Findings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .      3\n                 Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .           5\n                 Department Comments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .               6\n                 PURPOSE AND SCOPE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7\n                 BACKGROUND . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9\n                 FINDINGS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .      13\n                 Foreign Affairs Lead Agency . . . . . . . . . . . . . . . . . . . . . . . . . . . .                 13\n                 Critical Infrastructure Protection Plan . . . . . . . . . . . . . . . . . . . .                     22\n                 LIST OF RECOMMENDATIONS . . . . . . . 
. . . . . . . . . . . . . . . . . . .                         35\n                 ABBREVIATIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39\n                 APPENDICES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40\n\n\n\n\n40     OIG Report No. 01-IT-R-044, Critical Infrastructure Protection - June 2001\n\n\n                       UNCLASSIFIED\n\x0c                                  UNCLASSIFIED\n\n\n\nEx ecutiv\nExecutiv\n   ecutivee Summary\n            Summary\nPurpose                        The Office of Inspector General (OIG) assessed the Department\n                               of State\xe2\x80\x99s (Department\xe2\x80\x99s) progress in carrying out its Presidential\n                               Decision Directive (PDD)1 63 responsibilities for cyber critical in-\n                               frastructure protection (CIP) during fiscal years 1998-2000.\n                                   Our objectives were to assess the Department\xe2\x80\x99s:\n                                   \xe2\x80\xa2 Foreign Affairs Lead Agency activities under PDD-63;\n                                   \xe2\x80\xa2 Critical Infrastructure Protection Plan (CIPP) development\n                                     and implementation;\n                                   \xe2\x80\xa2 minimum-essential cyber infrastructure vulnerability and risk\n                                     assessments; and\n                                   \xe2\x80\xa2 risk mitigation, emergency management, interagency security,\n                                     resource requirements, and awareness and training policies\n                                     and practices.\n                                   We identified additional steps the Department can take to ad-\n                               dress its PDD-63 Foreign Affairs Lead Agency and minimum-es-\n                               sential cyber infrastructure2 
responsibilities.\n                                  We conducted the review in conjunction with a President\xe2\x80\x99s\n                               Council on Integrity and Efficiency assessment of PDD-63 imple-\n                               mentation at several Federal departments and agencies.\n\n\n\nBackground                     President Clinton issued PDD-63 to establish a national effort to\n                               ensure the security of the critical infrastructure of the United\n                               States.3 Under PDD-63, the Department is responsible for protect-\n                               ing those of its facilities, people, and systems that it deems essential\n                               to national critical infrastructure, and for being the Foreign Affairs\n                               Lead Agency.\n\n\n\n                                   1\n                                     Presidential Decision Directives were renamed National Security Presiden-\n                               tial Directives after we finished our review.\n                                   2\n                                     Minimum-essential cyber infrastructure supports core mission processes,\n                               which support national security and government continuity.\n                                   3\n                                      Critical infrastructure consists of physical and cyber systems and assets that\n                               are so vital to the United States that their incapacity would debilitate national\n                               security, national economic security, or national public health and safety.\n\nOIG Report No. 
01-IT-R-044, Critical Infrastructure Protection - June 2001                                        1\n\n\n                                  UNCLASSIFIED\n\x0c                                  UNCLASSIFIED\n\n\n                                   The Under Secretary for Management designated the Assis-\n                             tant Secretary of International Narcotics and Law Enforcement\n                             Affairs (INL) to be the Foreign Affairs Functional Coordinator.\n                             The Coordinator subsequently chaired the Subgroup on Interna-\n                             tional Cooperation of the National Security Council (NSC) Critical\n                             Infrastructure Coordination Group.4 The Subgroup is a forum for\n                             U.S. Government agencies to use in assessing and responding to\n                             international CIP issues.\n                                  Internally, the Under Secretary for Management established\n                             three organizations to address PDD-63 \xe2\x80\x93 the Virtual Governance\n                             Board, the Vulnerability Assessment Working Group,5 and the Secu-\n                             rity Infrastructure Working Group. These organizations coordinate\n                             and implement the CIPP, the Integrated Systems Security Manage-\n                             ment Plan, and the Comprehensive Risk Management Plan, respec-\n                             tively.\n\n\n\nResults in Brief             PDD-63 directs the Department as Foreign Affairs Lead Agency to\n                             implement an international outreach strategy to safeguard U.S. and\n                             global critical infrastructures upon which the U.S. depends. 
The\n                             Department\xe2\x80\x99s Foreign Affairs Functional Coordinator started by\n                             issuing an international outreach plan in August 2000. The plan\n                             focuses on addressing international law enforcement issues involv-\n                             ing a few countries. Although this focus on catching cyber terror-\n                             ists and criminals is a commendable beginning, the approach does\n                             not address the PDD-63 principles of encouraging friendly and\n                             like-minded nations, international organizations, and multinational\n                             corporations to focus on global preventative measures.\n                                During February and April 1999 the Department issued its\n                             CIPP and started its vulnerability assessment process, respectively.\n                             The CIPP contains 11 objectives, which address PDD-63 require-\n\n\n\n                                 4\n                                   President Bush reconstituted the Critical Infrastructure Coordination Group\n                             and three other groups into the NSC Policy Coordination Committee on Counter-\n                             Terrorism and National Preparedness after we completed our review.\n                                 5\n                                    The Department established the Vulnerability Assessment Working Group\n                             in February 1999, with responsibilities for identifying minimum-essential processes,\n                             core processes, and critical resources. The Chairperson for the Vulnerability As-\n                             sessment Working Group is a representative of the Bureau of Diplomatic Secu-\n                             rity.\n\n\n2                  OIG Report No. 
01-IT-R-044, Critical Infrastructure Protection - June 2001\n\n\n                                  UNCLASSIFIED\n\x0c                                  UNCLASSIFIED\n\n\n                               ments for minimum-essential infrastructure, vulnerability assess-\n                               ments, risk analysis and remediation, warning systems, response ca-\n                               pabilities, reconstitution plans, and education and awareness pro-\n                               grams. Although the Department has established a workable frame-\n                               work for protecting its minimum-essential infrastructure, its CIPP\n                               and vulnerability assessment process fall short of what PDD-63\n                               requires.\n\n\n\nPrincipal Findings             Foreign Affairs Lead Agency\n\n                               Strengthening International Critical Infrastructure\n                               Protection\n\n                               The Subgroup on International Cooperation of the NSC Critical\n                               Infrastructure Coordination Group has embraced a limited strategy\n                               focusing on the extent to which the United States depends on the\n                               infrastructure, economy, or government of other countries. PDD-\n                               63 states that the United States will promote international coopera-\n                               tion to help manage the worldwide CIP problem through joint re-\n                               sponsibility among like-minded and friendly nations, international\n                               organizations, and multinational corporations. 
It further states the\n                               Federal Government must focus on preventative measures, and\n                               threat and crisis management, to provide maximum feasible security\n                               for at risk infrastructures.\n                                   Although worldwide cooperation is often difficult, the United\n                               States could provide broader CIP leadership because of its greater\n                               experience and expertise in addressing cyber security issues. Such\n                               an effort could include encouraging the Department\xe2\x80\x99s missions,\n                               other Federal agencies, international trade and business groups, and\n                               multilateral international organizations to seek ways to strengthen\n                               the CIP of other countries through preventative measures.\n\n                               Law Enforcement Assistance\n\n                               The countries we visited are strengthening their cyber criminal laws,\n                               investigation and prosecution organizations, and international ties\n                               for conducting investigations. However, law enforcement officials\n                               face two major problems in conducting international investigations.\n                               First, criminal laws and procedures vary among countries. Second,\n                               obtaining support from foreign law enforcement agencies is often\n                               difficult and time consuming. The Department, as the Foreign Af-\n\nOIG Report No. 
01-IT-R-044, Critical Infrastructure Protection - June 2001                       3\n\n\n                                  UNCLASSIFIED\n\x0c                  UNCLASSIFIED\n\n\n              fairs Lead Agency, could enhance the positive efforts of other\n              countries to fight cyber crime by assisting friendly and like-minded\n              foreign law enforcement organizations obtain additional cyber train-\n              ing and technical assistance, and by helping establish improved in-\n              ternational communication channels for processing requests for\n              assistance and access to evidence.\n\n              Critical Infrastructure Protection Plan\n\n              Department\xe2\x80\x99s Foreign Operations\n\n              The Department\xe2\x80\x99s CIPP and vulnerability assessments did not ad-\n              dress the Department\xe2\x80\x99s minimum-essential infrastructure overseas,\n              nor the role and responsibilities of its Chiefs of Mission in protect-\n              ing that infrastructure. Foreign operations are essential to U.S.\n              Government foreign policy and relations, national defense, and U.S.\n              interests abroad.\n\n              Periodically Assessing Security Controls\n\n              PDD-63 requires periodic review of the reliability, vulnerability, and\n              threat environment of minimum-essential cyber infrastructure to\n              ensure organizations are addressing changing technology and\n              threats with appropriate protective measures and responses. Office\n              of Management and Budget (OMB) Circular No. 
A-130, Appendix\n              III requires all Federal agencies evaluate the security controls of all\n              their automated information systems at least once every 3 years.\n              Because the Department\xe2\x80\x99s CIPP and related policies do not address\n              this requirement, it has not developed a schedule for testing mini-\n              mum essential cyber infrastructure for security controls vulnerabili-\n              ties.\n\n              Critical Interagency Systems Vulnerabilities\n\n              The National Plan for Information Systems Protection, promul-\n              gated by President Clinton last year, has a focus on shared cyber\n              security interdependencies and vulnerabilities among agencies. The\n              Department\xe2\x80\x99s vulnerability assessment did not address the cyber\n              security interdependencies and vulnerabilities it shares with other\n              organizations.\n\n\n\n\n4   OIG Report No. 01-IT-R-044, Critical Infrastructure Protection - June 2001\n\n\n                  UNCLASSIFIED\n\x0c                                  UNCLASSIFIED\n\n\n                               Security awareness and training policies, practices,\n                               and procedures\n                               The Department had not complied with Computer Security Act of\n                               1987 and related Federal policies that mandate annual security\n                               awareness, training and education for employees in accepted secu-\n                               rity practices relevant to their individual roles and responsibilities.\n                               Implementing well-organized approaches to ensuring all employees\n                               receive required security awareness, training and education when\n                               required will strengthen the Department\xe2\x80\x99s security readiness.\n\n\n\nRecommendations     
           Foreign Affairs Lead Agency\n                               We recommend the Foreign Affairs Functional Coordinator, with\n                               assistance from the Department\xe2\x80\x99s International Information Pro-\n                               grams Coordinator, take the following steps:\n                                     \xe2\x80\xa2 encourage multilateral cooperation, contingency planning,\n                                       and open exchange of public information with a wide\n                                       range of friendly and like-minded countries, international\n                                       organizations, and multinational corporations;\n                                     \xe2\x80\xa2 provide bureaus and posts with public information to\n                                       assist friendly and like-minded foreign governments in\n                                       strengthening their CIP; and\n                                     \xe2\x80\xa2 emphasize encouraging and coordinating the efforts of\n                                       other U.S. Government lead agencies in informing and\n                                       assisting a wide range of friendly and like-minded\n                                       countries to better defend themselves against cyber\n                                       attacks.\n\n                               Critical Infrastructure Protection Plan\n\n                               We recommend that:\n                                     \xe2\x80\xa2 The Chief Information Officer and the Assistant\n                                       Secretary for Diplomatic Security address the\n                                       Department\xe2\x80\x99s foreign operations in subsequent critical\n                                       infrastructure protection plans and vulnerability\n                                       assessments. 
In doing so, other agencies with overseas\n                                       presence should be included in developing the overseas\n                                       portion of the plans, and conducting and assessing the\n                                       overseas portion of the vulnerability assessments as\n                                       appropriate.\n\n\nOIG Report No. 01-IT-R-044, Critical Infrastructure Protection - June 2001                          5\n\n\n                                  UNCLASSIFIED\n\x0c                           UNCLASSIFIED\n\n\n                           \xe2\x80\xa2 The Assistant Secretary for Diplomatic Security schedule and\n                             conduct security controls evaluations of all minimum-\n                             essential cyber infrastructures at least once every 3 years as\n                             required by OMB Circular No. A-130, Appendix III for all\n                             automated information systems.\n                           \xe2\x80\xa2 The Assistant Secretary for Diplomatic Security amend 12\n                             Foreign Affairs Manual (FAM) 600 and the Bureau of\n                             Information Resource Management (IRM) amend the critical\n                             infrastructure protection plan to require security control\n                             evaluations of minimum-essential cyber infrastructure at least\n                             once every 3 years.\n                           \xe2\x80\xa2 The Chief Information Officer and the Assistant Secretary\n                             for Diplomatic Security ensure that subsequent critical\n                             infrastructure protection plans and vulnerability assessments\n                             address minimum-essential interagency infrastructure\n                             vulnerabilities.\n\n                       Employee Security Awareness, Training and\n             
          Education\n\n                       We make 10 recommendations, principally to the Assistant Secre-\n                       tary for Diplomatic Security, to conform the Department\xe2\x80\x99s em-\n                       ployee security awareness, training and education policies, practices,\n                       and procedures, as stated in 12 FAM 600, with all relevant require-\n                       ments of the Computer Security Act of 1987 and related U.S. Gov-\n                       ernment policies.\n\n\n\nDepartment             We provided the relevant Bureaus with a draft of this report for\nComments               their review and comments. Generally, the Bureaus agreed with our\n                       report\xe2\x80\x99s findings and recommendations. However, in response to\n                       the Bureau of International Narcotics and Law Enforcement Af-\n                       fairs concerns that the report did not properly characterize the\n                       Department\xe2\x80\x99s international outreach strategy, we added information\n                       to support the need for a broader strategy addressing global critical\n                       infrastructure protection. The comments of the bureaus are ad-\n                       dressed in the Findings Section of the report, and included in their\n                       entirety in Appendix E through H.\n\n\n\n\n6            OIG Report No. 
01-IT-R-044, Critical Infrastructure Protection - June 2001\n\n\n                           UNCLASSIFIED\n\x0c                                  UNCLASSIFIED\n\n\n\nPur pose and Scope\nPurpose\n\n                               We conducted this review to assess the Department\xe2\x80\x99s progress in\n                               meeting its PDD-63 responsibilities, as they relate to minimum-es-\n                               sential cyber infrastructure.6 We assessed the Department\xe2\x80\x99s:\n                                   \xe2\x80\xa2 Foreign Affairs Lead Agency activities under PDD-63,\n                                   \xe2\x80\xa2 Critical Infrastructure Protection Plan development and\n                                     implementation;\n                                   \xe2\x80\xa2 minimum-essential cyber infrastructure vulnerability and risk\n                                     assessments; and\n                                   \xe2\x80\xa2 risk mitigation, emergency management, interagency security,\n                                     resource requirements, and awareness and training policies\n                                     and practices.\n                                  We conducted the review in conjunction with an assessment of\n                               PDD-63 implementation by the President\xe2\x80\x99s Council on Integrity\n                               and Efficiency at several departments and agencies.\n                                    We did not test the Department\xe2\x80\x99s information security controls\n                               during this evaluation, but instead relied on the results of earlier\n                               reviews (see Appendix B). 
Because the vulnerability remediation\n                               process was incomplete at the end of our review, we could not as-\n                               sess whether it was used to establish and fund the most critical pri-\n                               orities.\n                                   We interviewed officials in the Department\xe2\x80\x99s Office of the Un-\n                               der Secretary for Management, Bureau of Diplomatic Security\n                               (DS), IRM, INL, Bureau of Intelligence and Research, International\n                               Information Programs, geographic bureaus, Foreign Service Insti-\n                               tute, and Diplomatic Telecommunications Service regarding their\n                               involvement with the preparation and execution of the\n                               Department\xe2\x80\x99s CIPP. We also interviewed officials at the National\n                               Critical Infrastructure Assurance Office, Department of Defense,\n                               Central Intelligence Agency, and Director of Central Intelligence\n                               Center for Security Evaluation regarding relevant aspects of the\n                               CIPP and the Department\xe2\x80\x99s role as the Foreign Affairs Lead\n                               Agency under PDD-63.\n\n\n\n                                   6\n                                      The Department conducted vulnerability assessments of only those assets\n                               whose loss would limit the Department\xe2\x80\x99s capability to perform minimum-essential\n                               processes and that are an essential part of our nation\xe2\x80\x99s \xe2\x80\x9cminimum-essential\xe2\x80\x9d infra-\n                               structure.\nOIG Report No. 
01-IT-R-044, Critical Infrastructure Protection - June 2001                                     7\n\n\n                                  UNCLASSIFIED\n\x0c                  UNCLASSIFIED\n\n\n                  During May and June 2000, we performed work at the U.S. Em-\n              bassies in Tokyo and London, and the American Institute in Tai-\n              wan, where we met with U.S. Government, host government, and\n              private sector officials. We selected those locations because the\n              governments and private entities in those countries were addressing\n              cyber threats to their critical infrastructure, and were in a position\n              to assess what role the U.S. Government might play in addressing\n              international cyber security issues.\n                  We followed generally accepted government auditing standards\n              and conducted such tests and procedures, as we considered neces-\n              sary for the assignment. Staff from our Information Technology\n              Issue Area performed this evaluation from March 2000 through\n              February 2001. Frank Deffer, Acting Assistant Inspector General;\n              Robert C. Taylor, Audit Manager; John Shiffer and Anthony\n              Carbone, Senior Auditors contributed to the report. Mr. Deffer, at\n              defferf@state.gov and 703.284.2715, or Mr. Taylor at\n              taylorr2@state.gov and 703.284.2685, will respond to comments or\n              questions about the report.\n\n\n\n\n8   OIG Report No. 
01-IT-R-044, Critical Infrastructure Protection - June 2001\n\n\n                  UNCLASSIFIED\n\x0c                                  UNCLASSIFIED\n\n\n\nBackground\nBack\n\n                               In October 1997, the President\xe2\x80\x99s Commission on Critical Infrastruc-\n                               ture Protection reported7 that the information revolution and the\n                               introduction of computers into virtually every dimension of our\n                               society had changed our economy, national security, and everyday\n                               lives. In particular, many of our most sophisticated global national\n                               security systems rely on commercial power, communications, and\n                               transportation, which are also computer-controlled.\n                                    The Commission found that all computer-driven systems are\n                               vulnerable to intrusion and destruction. A concerted attack on the\n                               computers of any one of our essential economic sectors or govern-\n                               mental agencies could have catastrophic effects. The Commission\n                               also found that the threat was real. Where once our enemies mostly\n                               relied on bombs and bullets, they can now use computers to inflict\n                               enormous damage. 
The Commission concluded that to preserve\n                               our security and economic well being, we must protect our critical\n                               computer-controlled systems from attack, and assist friendly and\n                               like-minded countries protect their critical cyber infrastructure.\n                                   After reviewing the Commission\xe2\x80\x99s report, President Clinton is-\n                               sued Presidential Decision Directive 63 in May 1998 to establish a\n                               national effort to ensure critical infrastructure security, also known\n                               as minimum-essential infrastructure, for the United States and other\n                               friendly countries.8 On April 5, 2001, the Director of the National\n                               Critical Infrastructure Assurance Office testified before The House\n                               Commerce Committee, Subcommittee on Oversight and Investiga-\n                               tions, that President Bush has indicated critical infrastructure pro-\n                               tection will be a priority of his administration.\n\n\n\n                                   7\n                                     Critical Foundations: Protecting America\xe2\x80\x99s Infrastructures, The Report of\n                               the President\xe2\x80\x99s Commission on Critical Infrastructure Protection, Washington,\n                               DC, October 13, 1997.\n                                   8\n                                       The PDD-63 White Paper defines critical infrastructure as the \xe2\x80\x9c . . . 
physi-\n                               cal and cyber-based systems essential to the minimum operations of the economy\n                               and government.\xe2\x80\x9d The Critical Infrastructure Assurance Office defined agency\n                               minimum-essential infrastructure as the organizations, personnel, systems, and\n                               facilities required to accomplish an agency\xe2\x80\x99s core mission as its mission relates to\n                               national security, national economic security, or continuity of government services.\n\nOIG Report No. 01-IT-R-044, Critical Infrastructure Protection - June 2001                                      9\n\n\n                                  UNCLASSIFIED\n\x0c                    UNCLASSIFIED\n\n\n                    PDD-63 requires Federal agencies to assess the cyber vulner-\n               abilities of the Nation\xe2\x80\x99s critical infrastructures \xe2\x80\x94 information and\n               communications, energy, banking and finance, transportation, water\n               supply, emergency services, and public health \xe2\x80\x94 and the authorities\n               responsible for the continuity of federal, state, and local govern-\n               ments. The directive places special emphasis on protecting the\n               government\xe2\x80\x99s own critical assets from cyber attack and the need to\n               remedy deficiencies in order to become a model of information\n               security. The directive also calls for the Federal Government to pro-\n               duce a detailed plan to protect and defend America against cyber\n               disruptions. PDD-63 acknowledges that CIP encompasses a wide\n               range of information infrastructure security, strategy, and policy\n               issues that we share with other countries on a regional and global\n               basis. 
The United States is to take all necessary measures to eliminate significant CIP vulnerabilities within its borders, especially those involving cyber attacks, by May 22, 2003.

PDD-63 requires the Department to protect those of its facilities, people, and systems essential to U.S. critical infrastructure, and to be the U.S. Government Foreign Affairs Lead Agency.9 Further, the Omnibus Diplomatic Security and Antiterrorism Act of 1986 requires the Secretary of State to develop and implement security-related policies and programs for U.S. Government diplomatic operations. The Department’s security policies and programs are supposed to ensure the security of all U.S. Government personnel on official business overseas and all facilities overseas for which the Secretary of State is responsible.

9 The lead agencies are supposed to encourage and support their private and public sector counterparts to develop awareness, vulnerability assessment, and information sharing initiatives. They include telecommunications, banking and finance, energy, transportation, and essential government services.

Foreign Affairs Lead Agency

PDD-63 asserts that because the U.S. Government shares responsibility with the governments of other countries for global CIP, Federal agencies shall encourage international cooperation in managing the global CIP problem. The Under Secretary for Management selected the Assistant Secretary of INL to be Foreign Affairs Functional Coordinator. The Coordinator is responsible for fostering international CIP cooperation, directing departmental and interagency efforts across the range of international CIP issues, and coordinating all U.S. Government foreign affairs activities.

The NSC Critical Infrastructure Coordination Group tasked its Subgroup on International Cooperation, chaired by the Assistant Secretary of INL, to assess international CIP issues and respond with global solutions. In August 2000, the Subgroup issued an international CIP outreach strategy report prepared by the Foreign Affairs Functional Coordinator.

Critical Infrastructure Protection Plan

The National Critical Infrastructure Assurance Office issued the National Plan for Information Systems Protection in January 2000 as called for by PDD-63.
The Plan proposes 10 programs for achieving the objectives of (a) preparing for and preventing intrusions, (b) detecting and responding to intrusions, and (c) building strong cyber security foundations.10

10 Preparing for, preventing, detecting and responding to intrusions addresses critical infrastructure assets, shared interdependencies, and vulnerabilities by minimizing the possibility of significant attacks on national critical infrastructure, and building an infrastructure that remains effective when attacked.

The Department issued its CIPP and started its vulnerability assessment process in February and April 1999, respectively, because it already had the benefit of an extensive body of information assurance policies, procedures, and programs. Several OIG, DS, and General Accounting Office reports indicating the nature and scope of the Department’s cyber security vulnerabilities were also available.

The Under Secretary for Management delegated to the Chief Information Officer (CIO) responsibility for protecting the Department’s cyber systems, and delegated to the Assistant Secretary for DS, as the Chief Infrastructure Assurance Officer, responsibility for overseeing protection of the remaining critical infrastructure. The Under Secretary for Management also established the Virtual Governance Board, Vulnerability Assessment Working Group, and Security Infrastructure Working Group to coordinate and implement the CIPP, the Integrated Systems Security Management Plan, and the Comprehensive Risk Management Plan.

The CIPP describes the Department’s plans to reduce risks to minimum-essential cyber infrastructure and other mission critical cyber systems.
At the time of our review, the Department had:

• defined minimum-essential infrastructure, identified domestic minimum-essential cyber and physical infrastructure security vulnerabilities and initiated risk assessments to determine how best to address the vulnerabilities;
• established an organizational structure for developing CIP priorities and funding;
• implemented an intrusion detection system to detect and respond to cyber attacks;
• prepared a critical infrastructure reconstitution11 plan in case of successful infrastructure attacks; and
• established a cyber security awareness program and shared cyber threat intelligence with other agencies.

11 A system to reconstitute minimum required capabilities for varying levels of successful infrastructure attacks in a rapid manner.

Findings

The Department can do more to enhance the results of its efforts to carry out its Foreign Affairs Lead Agency role and to address the minimum-essential cyber infrastructure requirements of PDD-63.

The international outreach strategy developed by the Subgroup on International Cooperation under the Department’s leadership emphasizes international law enforcement consultations with a few close allies. In contrast, PDD-63 encourages international CIP cooperation with like-minded and friendly nations, international organizations, and multinational corporations and a focus on preventative measures as well as threat and crisis management.
The Department’s International Information Programs Coordinator should assist the Subgroup on International Cooperation in expanding and enhancing the strategy to include encouraging a wide range of like-minded and friendly governments to implement effective CIP measures.

The Department’s CIPP has 11 objectives addressing PDD-63 requirements for minimum-essential infrastructure, vulnerability assessments, risk analysis and remediation, warning systems, response capabilities, reconstitution plans, and education and awareness programs. Although the plan provides a suitable framework for protecting minimum-essential cyber infrastructure, it falls short of what PDD-63 requires.

Foreign Affairs Lead Agency

The President’s Commission on Critical Infrastructure Protection wrote in its 1997 report, Critical Foundations: Protecting America’s Infrastructure, that the United States is in the vanguard of countries to deal with international CIP.
The Commission concluded that the status of the United States gives it the opportunity to shape international cooperation and positively influence governments and infrastructure owners and operators who share our global community. Achieving the Commission’s goal will require substantial international collaboration beyond the limitations of the existing international outreach strategy.

The situation described by the President’s Commission still exists according to the Director of the National Infrastructure Protection Center. On April 5, 2001, the Director testified before the House Energy and Commerce Committee, Oversight and Investigations Subcommittee, that information warfare against the critical infrastructures of the United States and other nations is perhaps the greatest cyber threat to our national security. He further testified that terrorist groups are using cyber technology for planning, fund raising, propaganda, and secure communications, and that foreign intelligence services have adapted cyber tools to their information gathering tradecraft.

In combating this situation, PDD-63 requires the U.S. Government to encourage international cooperation to help manage the global CIP problem and to focus its efforts on preventative measures and threat and crisis management involving like-minded and friendly nations, international organizations, and multinational corporations. The NSC Critical Infrastructure Coordination Group designated the Subgroup on International Cooperation, chaired by the Foreign Affairs Functional Coordinator, to coordinate these efforts.

Under the direction of the Subgroup on International Cooperation, and following interagency discussions and consultations, the Foreign Affairs Functional Coordinator published a classified plan, CIP: A Four Track Approach to International Outreach,12 in August 2000. The plan provides guidance and procedures for coordinating U.S. Government international CIP activities. Priorities for cooperation with other countries are governed by the extent to which the U.S. depends on the infrastructure of the other countries or groups of countries. Although the document discusses promoting CIP awareness and security standards, it emphasizes law enforcement as key to dealing with global minimum-essential cyber infrastructure security. Further, the document contains no discussion of preventative protective measures the U.S. Government should take to enhance international CIP.

12 See Appendix D for an unclassified summary of the strategy.

The document places minimal emphasis on developing global solutions by expanding cooperation on CIP preventative measures with like-minded and friendly nations, international organizations, and multinational corporations, as envisioned by PDD-63. As suggested by the President’s Commission on Critical Infrastructure Protection, the most effective and efficient method for achieving increased protection from cyber threats involves a strategy of cooperation and information sharing among infrastructure owners and operators and relevant government entities. In addition, the Commission pointed out the need for comprehensive awareness and education programs at all levels of society.

INL officials told us resource constraints and national security concerns cause this lack of emphasis on a wider global effort. However, according to the Department’s International Information Programs Coordinator, it already has resources available to assist the Subgroup on International Cooperation of the NSC Critical Infrastructure Coordination Group in developing a broad outreach program as envisioned by PDD-63.
Presumably, the Department would implement such efforts within appropriate national security constraints.

Strengthening International Critical Infrastructure Protection

Compared to the approach described in PDD-63, the Subgroup on International Cooperation of the NSC Critical Infrastructure Coordination Group has adopted a constrained strategy for strengthening international CIP.

PDD-63 directs the Federal Government to take a global and preventative approach to expanding CIP cooperation among like-minded and friendly nations, international organizations, and multinational corporations without any stated limit on the extent of our critical infrastructure interdependencies. PDD-63 is not in any way focused on regulating the use of global information technology and systems. This approach recognizes that, in cyber-space, the United States is interdependent with a wide range of countries, and that globally shared responsibility and partnership among critical infrastructure owners and operators and governments, not additional regulations, are key to the success of international CIP.

The Subgroup on International Cooperation chose, however, to constrain its strategy to focusing on the extent to which the United States is dependent on the infrastructure, economy, or government of a handful of other countries. The highest priorities of the strategy are on bilateral, interagency, and sector specific CIP work with strategic partners and a few international organizations13 with the goal of jointly regulating the use of global information technology and systems. The first priority countries are those with which the United States has the greatest degree of infrastructure interdependency. The second priority countries are those with which we have limited infrastructure interdependencies but significant economic and governmental interdependencies and opportunities for cooperative efforts.
The lowest priority is on bilateral and multilateral CIP awareness-raising activities involving a broad range of friendly and like-minded countries and regional groups as described in PDD-63.

13 For example, the United Nations, North Atlantic Treaty Organization, G 8, Council of Europe, Asian Pacific Economic Council, and Organization of American States.

The Subgroup on International Cooperation could initiate a more substantial international CIP collaboration effort by having the lead agencies for all sectors provide the Department’s geographic bureaus and posts with public sector-specific CIP material, and lists of contacts that their foreign counterparts can access for CIP awareness, technical assistance and training.14

14 An example involved the Department and several Federal agencies in the Year 2000 International Interagency Working Group. They reviewed Year 2000 preparations overseas and assisted dozens of countries.

Further, the Department’s International Information Programs Coordinator is available to facilitate international CIP outreach and cooperation.15 Under the collaborative guidance of the Coordinator and the Subgroup on International Cooperation, posts could sponsor host country, sector specific, and regional working groups that include representatives of host country government and private entities and international organizations,16 in order to share CIP information. An International Information Programs Coordinator representative said the office could facilitate a variety of CIP outreach efforts, if requested by the Foreign Affairs Functional Coordinator on behalf of the Subgroup on International Cooperation.17

15 Such an effort would be similar to the global public diplomacy campaign, led by the former U.S. Information Agency, that addressed host country and cross-border Year 2000 issues.

16 In 1999, posts formed working groups with the embassies of other countries to discuss Year 2000 issues among themselves and with host country representatives. This was an effective method for exchanging information and coordinating contingency planning.

17 During Y2K preparations, the former U.S. Information Agency developed a readiness database for 16 critical infrastructure sectors in foreign countries. Posts supplied data using vulnerability and readiness criteria developed by the Year 2000 International Interagency Working Group chaired by the Department. A similar database of CIP vulnerability and readiness assessments would be useful for contingency planning by the Department and other agencies with an overseas presence.

Although global cooperation on such technically complex issues is often difficult, officials in the countries we visited said the United States could provide global CIP leadership because of its cyber security experience and expertise and suggested the United States could play an active role in increasing global CIP awareness, technical assistance, and training.

Recommendation 1: We recommend the Assistant Secretary for International Narcotics and Law Enforcement Affairs, acting as the Foreign Affairs Functional Coordinator, seek to have the National Security Council Policy Coordination Committee on Counter-Terrorism and National Preparedness, which incorporates the Subgroup on International Cooperation of the NSC Critical Infrastructure Coordination Group, expand its approach to international critical infrastructure protection. This approach should include:

• coordinating the efforts of U.S. Government sector leaders to provide critical infrastructure protection information and assistance to a wide range of friendly countries requesting such assistance;
• focusing the efforts of U.S. Government sector leaders, Department missions, trade and business groups, and international organizations on actively promoting critical infrastructure protection preventative measures;
• encouraging multilateral cooperation, contingency planning, and open exchange of public information with the widest possible range of friendly countries and international organizations;
• supporting Department of State posts in engaging foreign governments in joint efforts to prevent or otherwise solve critical infrastructure protection problems; and
• using the expertise and resources of the International Information Programs Coordinator in developing and implementing the Working Group’s outreach efforts.

Comments by the Bureau of International Narcotics and Law Enforcement Affairs: In its written comments, the Bureau stated the draft report contains many helpful observations and suggestions. However, the Bureau also criticized this section of our report, stating that it mischaracterized the U.S. Government’s international outreach strategy. The Bureau stated that PDD-63 directed the Subgroup to develop an international plan “as a subordinate and related task” to completing the first ever U.S. National Infrastructure Assurance Plan.

In our view, because the President issued the National Plan for Information Systems Protection, the subject of this report, 8 months before the international outreach strategy was developed, the Bureau had few constraints in how comprehensively it developed the international strategy.

Our recommendation, if implemented, would enhance the international strategy by allowing the Department as a whole, and other public, private and nongovernmental organizations, to address PDD-63’s explicit goals for the Federal Government to:

• protect the security of our globally linked domestic and international critical cyber infrastructure,
• encourage international cooperation to help manage “this increasingly global problem,”
• encourage market incentives and other actions to help harness the latest technologies to accomplishing “global solutions” to international problems,
• focus on preventative measures, and
• establish an international cooperation “plan to expand cooperation on critical infrastructure protection with like-minded and friendly nations, international organizations and multinational corporations.”

Comments by the International Information Programs Coordinator: The Acting Coordinator stated his organization is willing to assist in the type of international public information and assistance called for in this report.
He noted, however, that such an effort would require the ongoing level of resource support the Department committed to addressing Y2K. We believe the Assistant Secretary for International Narcotics and Law Enforcement Affairs should work with the Acting Coordinator to identify the resources needed for a sustained effort to broaden the international outreach strategy, and present the results of that analysis to the Subgroup on International Cooperation to include in the international outreach strategy.

Comments by the Bureau of Information Resource Management: The Chief Information Officer observed that information management officers and others at our posts are trained and experienced in critical information technology protection, and have experience in working with foreign organizations and governments in addressing information technology security issues. We agree with the Chief Information Officer that enlisting their assistance, just as the Department did most recently during our government’s international Year 2000 preparations, could further the international cooperation goals of PDD-63.

Law Enforcement Assistance

Growth in international cyber crime demonstrates the need for greater international law enforcement cooperation. Effectively responding to this threat requires that U.S. and foreign law enforcement authorities be able to overcome cultural, linguistic, legal and digital barriers that hamper the appropriate and timely exchange of criminal investigative information.

These issues were brought to the forefront at the July 26, 2000 hearing of the Subcommittee on Government Management, Information and Technology of the House Committee on Government Reform on Computer Security: A War without Borders. The Subcommittee Chairman noted that not all countries have the capability to detect and address international computer attacks.
He further noted that even with countries that have law enforcement agencies and organizations that can investigate and share cyber-attack information, there is a question among the variety of players regarding who is coordinating an efficient, effective response to this international problem. The Subcommittee examined the challenges of coordinating these cyber-attack investigations.

In a similar vein, we found that although the law enforcement officials we met overseas were pleased with the assistance they received from the U.S. Government, they told us they need more help to enhance awareness and training at all levels of law enforcement, and improve the efficiency and scope of investigative assistance that can be obtained from the large variety of law enforcement jurisdictions and organizations in the United States in order to obtain timely access to cyber evidence.

Training and Technical Assistance

The countries we visited have strengthened their cyber criminal laws, investigative and prosecution organizations, and international ties for conducting investigations.
They have participated in multi-\n               lateral and bilateral efforts to address the problems, and have sent\n               staff to the United States for bilateral discussions and training.\n               Some countries and international organizations are establishing spe-\n               cialized units to address cyber crime in their countries. The Euro-\n               pean Union plans to issue guidelines to member countries for fight-\n               ing cyber crimes including recommended cyber crime laws, and the\n               G 8 is drafting recommended cyber crime laws and a cyber crime\n               treaty for member countries.\n                   Our government could enhance these positive efforts to fight\n               cyber crime by providing additional training and technical assis-\n               tance, especially to a wide range of friendly developed and develop-\n               ing countries. It does little good to strengthen laws and treaties if\n               law enforcement officials and staff do not know enough about\n               cyber technology to judiciously handle a wide range of cyber crime\n               investigations and cases. Providing friendly countries with neces-\n               sary expertise and materials to train officials and staff in the judi-\n               ciary, prosecution, and police would go a long way to address these\n               needs. 
For example, the Federal Bureau of Investigation Academy can provide investigative computer instruction, training, and curriculum for foreign law enforcement personnel.

Recommendation 2: We recommend the Assistant Secretary for International Narcotics and Law Enforcement Affairs, acting as the Foreign Affairs Functional Coordinator, work with U.S. Government and nongovernmental organizations to provide friendly foreign governments with opportunities for obtaining cyber law enforcement training and technical assistance.

Bureaus' Comments: The Bureaus did not comment on Recommendation 2.

Investigative Assistance

Law enforcement officials in the countries we visited told us the two biggest problems in international investigations are obtaining information, because criminal law and procedures vary among countries, and obtaining support from host country law enforcement agencies. For example, one of the major problems faced in dealing with Internet crime is obtaining timely access to useful information from foreign Internet service providers. The normal procedure for obtaining such information involves international letters rogatory followed by a court order or subpoena, which can be a time-consuming process. However, with some types of computer crime, and specifically cyber intrusions, an immediate response by law enforcement is necessary, since the data needed for evidence are generally stored only for a brief time period.

A possible solution to the investigative assistance problem was suggested by the Chief, Computer Crime Unit, Swedish National Crime Investigation Department, in his July 2000 testimony before the hearing on Computer Security: A War without Borders of the Subcommittee on Government Management, Information, and Technology. The Chief testified that the major problem his unit faces in coping with Internet crime is obtaining access to investigative information from foreign Internet service providers and responsible web managers. Normally, providers request court orders, subpoenas or other formal domestic dispositions before they provide the requested information. Such requests involve time-consuming and difficult international letters rogatory.
One way to address these problems, he suggested, would be international agreements to release subscriber information and address logs to foreign law enforcement authorities without formal letters rogatory, in a manner that ensured proper handling of the information.

The officials we met suggested establishing improved communication channels for more efficient and effective processing of investigative assistance requests, and improved procedures for gaining access to evidence in a more timely manner. An example is setting up special communication channels that would be open 24 hours a day to handle urgent and critical cases. They also recommended that governments give their central investigative agencies authority to act immediately to preserve evidence crucial to international cyber investigations.

Recommendation 3: We recommend the Assistant Secretary for International Narcotics and Law Enforcement Affairs, acting as the Foreign Affairs Functional Coordinator, work with the Department of Justice to identify and disseminate through posts more efficient and effective communications channels for processing foreign governments' investigative assistance requests, and improved procedures for gaining more timely access to evidence, that foreign law enforcement entities can use to enhance their investigations of cyber crimes involving United States entities and individuals.

Bureaus' Comments: The Bureaus did not comment on Recommendation 3.

Critical Infrastructure Protection Plan

The Department established a CIPP with 11 objectives addressing the PDD-63 requirements for minimum-essential infrastructure, vulnerability assessments, risk analysis and remediation, warning systems, response capabilities, reconstitution plans, and education and awareness programs.
Although the Department implemented several important parts of the plan for its domestic operations, and established a suitable framework for addressing its minimum-essential infrastructure, it excluded important elements from the CIPP and vulnerability assessment processes. Specifically:

• The Department has not assessed the vulnerabilities of its minimum-essential cyber infrastructure in its foreign operations.
• The Department's CIPP, policies, and procedures do not adequately address the OMB Circular No. A-130, Appendix III requirement to review the security controls of all automated information systems, including those that are part of its minimum-essential infrastructure, at least once every 3 years.
• The Department has not assessed vulnerabilities in its interagency connections.
• The Department's CIPP, policies, and procedures do not specify how the Department will ensure that all employees and contractors are trained on required CIP concepts and skills applicable to their respective involvement with the Department's minimum-essential cyber infrastructure.
• The Department's CIPP and associated policies do not require bureaus and posts to notify the Corporate Information System Security Officer of the designation of Information System Security Officers and their alternates.

Department's Foreign Operations

The Department did not include foreign operations in its PDD-63 planning, and the CIPP and vulnerability assessments did not address the role of foreign operations in protecting minimum-essential infrastructure. Further, the Department did not consult the Director of Central Intelligence Center for Security Evaluation[18] during preparation of the CIPP and the vulnerability assessment regarding potential minimum-essential cyber security issues affecting the intelligence community abroad.

The Department provides minimum-essential cyber infrastructure support for its own operations and those of other U.S. Government agencies operating overseas. These overseas operations are essential to U.S. Government foreign policy and relations, national defense, and American interests abroad.
The OIG has issued several reports on vulnerabilities in the Department's foreign cyber operations, including inadequate security of classified and unclassified systems. Whether the Department or the other agencies consider the overseas cyber infrastructure minimum-essential has not yet been determined.

Recommendation 4: We recommend the Chief Information Officer and the Assistant Secretary for Diplomatic Security address the Department's foreign operations in subsequent critical infrastructure protection plans and vulnerability assessments to determine what, if any, overseas minimum-essential cyber infrastructure should be subject to vulnerability assessments. In doing so, Department officials should include representatives of other agencies having an overseas presence in developing the overseas portion of the plans, and in conducting and assessing the overseas portion of the vulnerability assessments as appropriate.

[18] This organization is responsible for protecting intelligence sources and methods information in U.S. diplomatic facilities abroad based on its analysis of foreign intelligence vulnerabilities and countermeasures.

Comments of the Bureau of Information Resource Management: The Bureau of Information Resource Management concurred in Recommendation 4.

Comments by the Bureau of Diplomatic Security: The Bureau of Diplomatic Security agreed that this critical area requires PDD-63 assessment, and said the Department plans to address this recommendation during the next phase of its continuing PDD-63 vulnerability assessment process.

Periodically Assessing Security Controls

PDD-63 requires frequent assessments of the reliability, vulnerability, and threat environment of minimum-essential cyber infrastructure so that organizations can address changing technology and threats with appropriate protective measures and responses. OMB Circular No. A-130, Appendix III requires evaluating the security controls of all automated information systems (presumably including minimum-essential cyber infrastructure) at least once every 3 years, and whenever there are significant changes to the systems.

Although DS planned to increase its evaluation activities, there is no supporting schedule or policy regarding minimum-essential cyber infrastructure. Further, the CIPP and Department policies make no reference to testing minimum-essential cyber infrastructure for security controls vulnerabilities at least once every 3 years, as required for all cyber systems by OMB Circular No. A-130, Appendix III.
DS has issued security software toolkits to identify inappropriate security configurations in unclassified systems, but none for minimum-essential cyber infrastructure.

We are recommending that DS evaluate cyber minimum-essential infrastructure security controls at least once every 3 years because that is the only Federal Government criterion at this time. However, we believe DS should consider more frequent testing of those controls given the very dynamic threat environment faced by the Department's cyber minimum-essential infrastructure, and the importance of that infrastructure to mission accomplishment.

Recommendation 5: We recommend the Bureau of Diplomatic Security schedule and conduct security controls evaluations of all minimum-essential cyber infrastructure at least once every 3 years, and whenever there are significant changes to minimum-essential cyber infrastructure, both as required by OMB Circular No. A-130, Appendix III.

Recommendation 6: We recommend the Bureau of Diplomatic Security modify 12 Foreign Affairs Manual 600, and the Bureau of Information Resource Management amend the Critical Infrastructure Protection Plan, to require periodic security control evaluations of all minimum-essential cyber infrastructure at least once every 3 years.

Comments by the Bureau of Diplomatic Security: The Bureau commented that it had periodically conducted penetration tests on the Department's networks, but that it will not conduct additional evaluations until December 2003. Although the Bureau is augmenting its capabilities, it recommended limiting periodic security controls evaluations to only those systems identified in the Vulnerability Assessment Reports.

Although we are pleased the Bureau is committing more resources to this effort, we are concerned that these resources will not be fully deployed until December 2003. It is not making an explicit commitment to meeting OMB Circular No. A-130, Appendix III requirements to schedule and conduct security controls evaluations once every 3 years, at least as they pertain to all minimum-essential cyber infrastructure.
Regarding the Bureau's desire to limit the scope of the evaluations, we remind the Bureau that OMB Circular No. A-130, Appendix III requires such evaluations for all automated information systems in the Department.

Comments of the Bureau of Information Resource Management: The Chief Information Officer concurred with the recommendation to conduct security control evaluations periodically and whenever there are significant changes to minimum-essential cyber infrastructure. The CIO suggested we change the recommendation to conduct the evaluations more often, perhaps once every 18 months as in evaluations of secure communications (COMSEC) systems, because of the many changes in configurations and threats. We left it at 3 years as required by OMB Circular No. A-130, Appendix III.

Critical Interagency Systems Vulnerabilities

The national minimum-essential information systems protection plan requires agencies to identify shared interdependencies and vulnerabilities. The plan focuses on minimum-essential systems that cross between agencies and are interdependent for their security. The Department's vulnerability assessment did not address the potential impact on national minimum-essential infrastructure of its cyber connections with other agencies.

Assessments of Interagency Minimum-Essential Infrastructure Vulnerabilities

The National Plan for Information Systems Protection prepared by the National Coordinator for Security, Infrastructure Protection, and Counter-Terrorism calls for agencies to identify their critical infrastructure system interdependencies and their associated shared threats and vulnerabilities. The Department did not assess the vulnerabilities in its minimum-essential cyber infrastructure relationships with other agencies.
One example is that the Foreign Service National Pay System's direct connections to the Department of the Treasury's minimum-essential information systems may pose some risk to the Department of the Treasury's minimum-essential cyber infrastructure.

Recommendation 7: We recommend the Chief Information Officer and Bureau of Diplomatic Security ensure that subsequent critical infrastructure protection plans and vulnerability assessments address minimum-essential interagency infrastructure vulnerabilities.

Comments of the Bureau of Information Resource Management: The Bureau of Information Resource Management concurred with Recommendation 7.

Comments by the Bureau of Diplomatic Security: The Bureau commented that the Department has developed plans to assess interdependencies with other agencies during subsequent phases of its vulnerability assessment activities. We anticipate those plans will be described in the next version of the Department's Critical Infrastructure Protection Plan.

Interagency CIP Training and Exercises

PDD-63 generally, and the Department's CIPP specifically, require the Foreign Service Institute to establish training and exercises involving interagency critical infrastructure protection practices and procedures, using guidance provided by DS and IRM. However, DS and IRM have not provided the Foreign Service Institute with the guidance it needs to develop the interagency CIP training and exercises required by PDD-63 and the Department's CIPP.

Recommendation 8: We recommend the Assistant Secretary for Diplomatic Security, Chief Information Officer, and the Director of the Foreign Service Institute jointly develop and implement interagency critical infrastructure protection practices and procedures training and exercises that meet the requirements of Presidential Decision Directive 63.

Comments by the Bureau of Diplomatic Security: The Bureau commented that the Vulnerability Assessment Working Group, in concert with the Bureau of Information Resource Management and the Foreign Service Institute, will identify opportunities to develop materials and courses to meet this requirement.

Comments of the Bureau of Information Resource Management: The Bureau of Information Resource Management concurred with Recommendation 8.

Designations of Information System Security Officers and Alternates

The Omnibus Diplomatic Security and Antiterrorism Act of 1986 requires the Secretary of State to develop and implement security-related procedures and programs for U.S. Government foreign operations. Primary responsibility for the security of posts rests with the Chiefs of Mission under 1 FAM 013.2 and 2 FAM 113.1. Assistant Secretaries have the same responsibilities for domestic operations under provisions of 12 FAM 615.18. However, there is no requirement for Chiefs of Mission and Assistant Secretaries to notify DS or the Corporate Information System Security Officer when employees are designated Information System Security Officers or alternates. Consequently, DS cannot ensure the designees have sufficient training and experience to perform their Information System Security Officer responsibilities, which could result in unidentified minimum-essential cyber infrastructure vulnerabilities.

Recommendation 9: We recommend that the Bureau of Diplomatic Security amend 12 Foreign Affairs Manual 600 to require that it be given the names of Information System Security Officers, and their alternates, in a timely manner, and that the Bureau of Diplomatic Security ensure all designees have sufficient experience and training.

Comments by the Bureau of Diplomatic Security: The Bureau commented that 12 Foreign Affairs Manual 600 will be amended to require that written notification of appointments or changes be sent to the Bureau, and that the Bureau will provide the information to other pertinent offices.

Comments by the Bureau of Information Resource Management: The Bureau of Information Resource Management suggested we revise Recommendation 9 to include the Corporate Information Systems Security Officer. The Bureau of Diplomatic Security has committed to providing the information to all other pertinent offices. We believe that having a single point of contact for this reporting will cause less confusion among Information Systems Security Officers here and abroad.

Minimum-Essential Cyber Infrastructure Security Awareness and Training

Information technology security awareness and training can reduce exposure to known risks, but only if all employees are appropriately educated about the security of minimum-essential cyber infrastructure.
The Department does not have sufficient policies, procedures, and programs to assure that employees are trained to properly secure the Department's information systems in general and its minimum-essential cyber infrastructure in particular.

The Computer Security Act of 1987 requires mandatory periodic security awareness and training in accepted security practices for everyone involved in managing, using, or operating sensitive cyber systems. The training is required to enhance awareness of cyber vulnerabilities and threats, and to encourage improved security practices. The procedures, scope, and manner of the security awareness and training must comply with National Institute of Standards and Technology (NIST) and U.S. Office of Personnel Management (OPM) guidance. (See Appendix C for the requirements.)

OPM requires information technology security training for new employees within 60 days of hiring.[19] OPM also requires that all employees receive the training when they enter new positions dealing with sensitive information, or when their information security environment or procedures change significantly.
OPM also requires periodic refresher training.

The Under Secretary for Management's directive, Security of Automated Information Systems, mandates establishing security education and awareness programs to inform managers and employees of their responsibilities. DS is responsible for administering the Department's information systems security training and awareness program, including minimum-essential cyber infrastructure. The Under Secretary's directive has criteria for measuring compliance with the security standards and states that assistant secretaries will be held accountable for adhering to published security standards.

In October 2000, the Secretary of State sent a cable to all posts requiring that proper handling and safeguarding of classified material and information be included in the work requirements statements and employee evaluation reports of all Foreign Service employees and supervisors.
The Director General of the Foreign Service and Director of Human Resources (DGHR) is developing similar requirements for Civil Service employees and supervisors, which will become effective starting with the 2001 performance plans.

Currently, only computer operations staff and applications managers are accountable for information system security under 12 FAM 600. However, 12 FAM 600 does not reference the new Department policies requiring that supervisors use performance requirements and appraisal processes to hold employees accountable for meeting the Department's information security standards, including those that relate to minimum-essential cyber infrastructure.

Although the 12 FAM 600 appendix identifies the Computer Security Act of 1987, and the NIST, OPM, and National Security Telecommunications and Information Systems Security Committee (NSTISSC) awareness and training requirements, it does not describe how the Department will implement those requirements. Specifically:

• 12 FAM 600 does not reference the OPM requirement that all personnel with access to the Department's information systems are to have site-specific information technology systems security training related to their responsibilities for the systems within 60 days of their being granted access to the systems;
• 12 FAM 600 does not require periodic and threat-specific continuing or refresher cyber security training as required by the Computer Security Act of 1987;
• 12 FAM 600 does not require certification that all personnel having access to the Department's systems have received applicable initial and continuing systems security awareness and training, even for minimum-essential cyber infrastructure, as required by OMB Circular No. A-130, Appendix III; and
• 12 FAM 600 excludes contractors and the personnel of other agencies who have access to the Department's information systems from the mandatory refresher briefings conducted annually as required by OMB Circular No. A-130, Appendix III.

[19] Source: 5 CFR Part 930, Subpart C, Employees Responsible for the Management or Use of Federal Computer Systems.

Enhanced procedures would require bureaus and offices to certify to the CIO that all constituent units fully comply with applicable requirements and have documentation supporting the certifications. The units could use existing documentation to support the certifications that they meet all applicable awareness and training requirements. Such documentation includes the Password Receipt and Security Acknowledgement Form, which requires users to certify that they will comply with all applicable security standards, and which could also require systems managers to certify that users have actually completed the applicable security standards training.

Addressing the issues described above will enhance the Department's ability to fully comply with the cyber security awareness and training requirements of the Computer Security Act of 1987, and relevant provisions of NIST, OPM, and NSTISSC policies. This requires developing and implementing better-organized approaches to ensuring all employees receive the awareness and training required by Federal laws, policies, regulations, programs, and procedures.
01-IT-R-044, Critical Infrastructure Protection - June 2001\n\n\n                   UNCLASSIFIED\n\x0c                                  UNCLASSIFIED\n\n\n\n                                 Recommendation 10: We recommend the Director General of\n                                 the Foreign Service and Director of Human Resources submit\n                                 language to the Bureau of Diplomatic Security amending 12 For-\n                                 eign Affairs Manual 600 to require that all job and work require-\n                                 ments statements include individual responsibilities for mini-\n                                 mum-essential cyber infrastructure security.\n\n\n                                 Recommendation 11: We recommend that the Director Gen-\n                                 eral of the Foreign Service and Director of Human Resources\n                                 submit language to the Bureau of Diplomatic Security amending\n                                 12 Foreign Affairs Manual 600 to require that all supervisors as-\n                                 sess the extent to which all employees accomplish their indi-\n                                 vidual roles and responsibilities for minimum-essential cyber in-\n                                 frastructure security.\n\n                                     Comments by the Director General of the Foreign Service\n                               and Director of Human Resources on Recommendations 10\n                               and 11: The Director General of the Foreign Service and Director\n                               of Human Resources stated that the Security Awareness and Ac-\n                               countability message contained in his ALDAC (State 203676, Octo-\n                               ber 21, 2000) addresses the concerns found in Recommendations\n                               10 and 11. 
Although the ALDAC does address the handling of\n                               classified documents and information by Foreign Service employ-\n                               ees, it does not specifically address the responsibilities of all Depart-\n                               ment employees for minimum-essential cyber infrastructure secu-\n                               rity.\n                                   The Director General also commented that the Bureau of Dip-\n                               lomatic Security is responsible for the 12 Foreign Affairs Manual.\n                               Therefore, we changed the wording of Recommendations 10 and\n                               11 to recommend the Director General submit appropriate lan-\n                               guage to the Bureau of Diplomatic Security to amend 12 Foreign\n                               Affairs Manual.\n\n                                 Recommendation 12: We recommend that the Bureau of Dip-\n                                 lomatic Security amend 12 Foreign Affairs Manual 600 to specify\n                                 how the Department will implement the Computer Security Act\n                                 of 1987, National Institute of Standards and Technology, U.S.\n                                 Office of Personnel Management, and National Security Tele-\n                                 communications and Information Systems Security Committee\n                                 requirements for individual and organizational cyber security\n                                 awareness, training, and accountability involving minimum-es-\n                                 sential automated information infrastructure security.\nOIG Report No. 
01-IT-R-044, Critical Infrastructure Protection - June 2001                         31\n\n\n                                  UNCLASSIFIED\n\x0c                   UNCLASSIFIED\n\n\n                   Comments by the Bureau of Diplomatic Security: The Bu-\n               reau commented that the authorities noted by the OIG are cur-\n               rently referenced in 12 Foreign Affairs Manual 600 We agree the\n               authorities cited in Recommendation 12 are named in the manual,\n               but neither the manual nor any other document of which we are\n               aware specifies how the Department will implement those require-\n               ments of the authorities for individual and organizational cyber se-\n               curity awareness, training, and accountability involving minimum-\n               essential cyber infrastructure security.\n\n                Recommendation 13: We recommend that the Bureau of Dip-\n                lomatic Security amend 12 Foreign Affairs Manual 600 to require\n                that users be informed of, and acknowledge, their automated\n                information security responsibilities prior to being granted ac-\n                cess to Department systems.\n\n\n                   Comments by the Bureau of Diplomatic Security: The\n               Bureau concurred that 12 Foreign Affairs Manual 600 should ad-\n               dress the Department\xe2\x80\x99s need to protect itself by requiring users to\n               acknowledge their responsibilities prior to accessing its systems.\n               The Bureau said the requirement would be included in a future revi-\n               sion of the Manual.\n\n\n\n                Recommendation 14: We recommend the Bureau of Diplo-\n                matic Security publish criteria for role- and access-based auto-\n                mated information systems security training, and for testing us-\n                ers for minimum levels of understanding of the 
automated in-\n                formation systems security criteria that apply to their roles and\n                access levels. These Automated Information Systems Security\n                Training Guidelines should comply with 5 Code of Federal\n                Regulations Part 930, Subpart C, National Institute of Standards\n                and Technology Special Publication 800-16, National Security\n                Telecommunications and Information Systems Security Commit-\n                tee, and other applicable Federal Government directives and\n                standards.\n\n                  Comments by the Bureau of Diplomatic Security: The\n               Bureau concurred with Recommendation 14.\n\n\n\n\n32   OIG Report No. 01-IT-R-044, Critical Infrastructure Protection - June 2001\n\n\n                   UNCLASSIFIED\n\x0c                                  UNCLASSIFIED\n\n\n\n                                 Recommendation 15: We recommend the Bureau of Diplo-\n                                 matic Security amend 12 Foreign Affairs Manual 600 to require\n                                 that users demonstrate adequate understanding of their auto-\n                                 mated information systems security responsibilities, based on the\n                                 Department\xe2\x80\x99s Automated Information Systems Security Training\n                                 Guidelines, within 30 days of being granted access to systems,\n                                 and at least annually thereafter. 
This recommendation is based\n                                 on the assumption that the Bureau will complete the Guidelines\n                                 as it has agreed to do in Recommendation 14.\n\n                                   Comments by the Bureau of Diplomatic Security: The Bu-\n                               reau agreed with Recommendation 15.\n                                   Comments by the Bureau of Information Resource\n                               Management: The CIO suggested we consider removing this rec-\n                               ommendation unless we are more specific about how users would\n                               demonstrate adequate understanding of their responsibilities. As\n                               there is more than one way to achieve the recommendation, we be-\n                               lieve the Bureau of Diplomatic Security should make this decision\n                               based on its assessment of the available choices.\n\n                                  Recommendation 16: We recommend that the Bureau of Dip-\n                                 lomatic Security amend 12 Foreign Affairs Manual 600 to require\n                                 that users receive periodic and threat-specific continuing and\n                                 refresher security training for automated information systems.20\n\n\n                                   Comments by the Bureau of Diplomatic Security: The Bu-\n                               reau agreed with Recommendation 16, and stated that 12 Foreign\n                               Affairs Manual 600 will be amended to require that users receive\n                               periodic and threat-specific continuing and refresher security train-\n                               ing for automated information systems.\n\n\n\n\n                                   20\n                                       Although providing user security awareness training at 
posts is the responsi-\n                               bility of the Information System Security Officer, general security awareness train-\n                               ing is the responsibility of the Regional or Post Security Officers. However, with\n                               the agreement of their Information System and Regional Security Officers, posts\n                               may elect to incorporate user awareness training into general personnel security brief-\n                               ings.\n\n\nOIG Report No. 01-IT-R-044, Critical Infrastructure Protection - June 2001                                      33\n\n\n                                  UNCLASSIFIED\n\x0c                   UNCLASSIFIED\n\n\n\n                Recommendation 17: We recommend the Bureau of Diplo-\n                matic Security amend 12 Foreign Affairs Manual 600 to require\n                executive or principal officers of all posts, bureaus, and offices\n                to annually certify to the Chief Information Officer and the Bu-\n                reau of Diplomatic Security their compliance with the\n                Department\xe2\x80\x99s Automated Information Systems Security Training\n                Guidelines developed by the Bureau of Diplomatic Security.\n\n                    Comments by the Bureau of Diplomatic Security: The\n               Bureau agreed with Recommendation 17 on the basis that certifica-\n               tion can be a means of ensuring that documentation of user brief-\n               ings is accurately maintained at posts and other offices. Cyber secu-\n               rity assessments conducted by the Bureau and the OIG will mea-\n               sure the level of compliance. The Bureau also noted the posts\n               could use this process to identify training deficiencies and assist the\n               Bureau in establishing priorities for its training resources.\n\n\n\n\n34   OIG Report No. 
01-IT-R-044, Critical Infrastructure Protection - June 2001\n\n\n                   UNCLASSIFIED\n\x0c                                  UNCLASSIFIED\n\n\n\nList of Recommendations\n\n                               Recommendation 1: We recommend the Assistant Secretary for\n                                 International Narcotics and Law Enforcement Affairs, acting as\n                                 the Foreign Affairs Functional Coordinator, seek to have the Na-\n                                 tional Security Council Policy Coordination Committee on\n                                 Counter-Terrorism and National Preparedness, which incorpo-\n                                 rates the Subgroup on International Cooperation of the NSC\n                                 Critical Infrastructure Coordination Group, expand its approach\n                                 to international critical infrastructure protection. This approach\n                                 should include:\n                                   \xe2\x80\xa2 coordinating the efforts of U.S. Government sector leaders to\n                                     provide critical infrastructure protection information and\n                                     assistance to a wide range of friendly countries requesting\n                                     such assistance,\n                                   \xe2\x80\xa2 focusing the efforts of U.S. 
Government sector leaders,\n                                     Department missions, trade and business groups, and\n                                     international organizations on actively promoting critical\n                                     infrastructure protection preventative measures,\n                                   \xe2\x80\xa2 encouraging multilateral cooperation, contingency planning,\n                                     and open exchange of public information with the widest\n                                     possible range of friendly countries and international\n                                     organizations,\n                                   \xe2\x80\xa2 supporting Department of State posts in engaging foreign\n                                     governments in joint efforts to prevent or otherwise solve\n                                     critical infrastructure protection problems, and\n                                   \xe2\x80\xa2 using the expertise and resources of the International\n                                     Information Programs Coordinator in developing and\n                                     implementing the Working Group\xe2\x80\x99s outreach efforts.\n\n                               Recommendation 2: We recommend the Assistant Secretary for\n                                 International Narcotics and Law Enforcement Affairs, acting as\n                                 the Foreign Affairs Functional Coordinator, work with U.S. Gov-\n                                 ernment and nongovernmental organizations to provide friendly\n                                 foreign governments with opportunities for obtaining cyber law\n                                 enforcement training and technical assistance.\n\n\n\n\nOIG Report No. 
01-IT-R-044, Critical Infrastructure Protection - June 2001                     35\n\n\n                                  UNCLASSIFIED\n\x0c                   UNCLASSIFIED\n\n\n               Recommendation 3: We recommend the Assistant Secretary for\n                 International Narcotics and Law Enforcement Affairs, acting as\n                 the Foreign Affairs Functional Coordinator, work with the De-\n                 partment of Justice to identify and disseminate through posts\n                 more efficient and effective communications channels for pro-\n                 cessing foreign governments investigative assistance requests,\n                 and improved procedures for gaining more timely access to evi-\n                 dence, that foreign law enforcement entities can use to enhance\n                 their investigations of cyber crimes involving United States enti-\n                 ties and individuals.\n\n               Recommendation 4: We recommend the Chief Information Of-\n                 ficer and the Assistant Secretary for Diplomatic Security address\n                 the Department\xe2\x80\x99s foreign operations in subsequent critical infra-\n                 structure protection plans and vulnerability assessments to deter-\n                 mine what, if any, overseas minimum-essential cyber infrastruc-\n                 ture should be subject to vulnerability assessments. 
In doing so,\n                 Department officials should include representatives of other\n                 agencies having an overseas presence in developing the overseas\n                 portion of the plans, and conducting and assessing the overseas\n                 portion of the vulnerability assessments as appropriate.\n\n               Recommendation 5: We recommend the Bureau of Diplomatic\n                 Security schedule and conduct security controls evaluations of\n                 all minimum-essential cyber infrastructures at least once every 3\n                 years, and whenever there are significant changes to minimum-\n                 essential cyber infrastructure, both as required by OMB Circular\n                 No. A-130, Appendix III.\n\n               Recommendation 6: We recommend the Bureau of Diplomatic\n                 Security modify 12 Foreign Affairs Manual 600, and the Bureau\n                 of Information Resource Management amend the Critical Infra-\n                 structure Protection Plan, to require periodic security control\n                 evaluations of all minimum-essential cyber infrastructure at least\n                 once every 3 years.\n\n               Recommendation 7: We recommend the Chief Information Of-\n                 ficer and Bureau of Diplomatic Security ensure that subsequent\n                 critical infrastructure protection plans and vulnerability assess-\n                 ments address minimum-essential interagency infrastructure vul-\n                 nerabilities.\n\n\n\n\n36   OIG Report No. 
01-IT-R-044, Critical Infrastructure Protection - June 2001\n\n\n                   UNCLASSIFIED\n\x0c                                  UNCLASSIFIED\n\n\n                               Recommendation 8: We recommend the Assistant Secretary for\n                                 Diplomatic Security, Chief Information Officer, and the Direc-\n                                 tor of the Foreign Service Institute jointly develop and imple-\n                                 ment interagency critical infrastructure protection practices and\n                                 procedures training and exercises that meets the requirements of\n                                 Presidential Decision Directive 63.\n\n                               Recommendation 9: We recommend that the Bureau of Diplo-\n                                 matic Security amend 12 Foreign Affairs Manual 600 to require\n                                 that it be given the names of Information System Security Offic-\n                                 ers, and their alternates, in a timely manner, and that the Bureau\n                                 of Diplomatic Security ensure all designees have sufficient expe-\n                                 rience and training.\n\n                               Recommendation 10: We recommend the Director General of the\n                                 Foreign Service and Director of Human Resources submit lan-\n                                 guage to the Bureau of Diplomatic Security amending 12 For-\n                                 eign Affairs Manual 600 to require that all job and work require-\n                                 ments statements include individual responsibilities for mini-\n                                 mum-essential cyber infrastructure security.\n\n                               Recommendation 11: We recommend that the Director General\n                                 of the Foreign Service and Director of Human Resources sub-\n     
                            mit language to the Bureau of Diplomatic Security amending 12\n                                 Foreign Affairs Manual 600 to require that all supervisors assess\n                                 the extent to which all employees accomplish their individual\n                                 roles and responsibilities for minimum-essential cyber infrastruc-\n                                 ture security.\n\n                               Recommendation 12: We recommend that the Bureau of Diplo-\n                                 matic Security amend 12 Foreign Affairs Manual 600 to specify\n                                 how the Department will implement the Computer Security Act\n                                 of 1987, National Institute of Standards and Technology, U.S.\n                                 Office of Personnel Management, and National Security Tele-\n                                 communications and Information Systems Security Committee\n                                 requirements for individual and organizational cyber security\n                                 awareness, training, and accountability involving minimum-es-\n                                 sential automated information infrastructure security.\n\n                               Recommendation 13: We recommend that the Bureau of Diplo-\n                                 matic Security amend 12 Foreign Affairs Manual 600 to require\n                                 that users be informed of, and acknowledge, their automated\n                                 information security responsibilities prior to being granted ac-\n                                 cess to Department systems.\n\nOIG Report No. 
01-IT-R-044, Critical Infrastructure Protection - June 2001                     37\n\n\n                                  UNCLASSIFIED\n\x0c                   UNCLASSIFIED\n\n\n               Recommendation 14: We recommend the Bureau of Diplomatic\n                 Security publish criteria for role- and access-based automated\n                 information systems security training, and for testing users for\n                 minimum levels of understanding of the automated information\n                 systems security criteria that apply to their roles and access lev-\n                 els. These Automated Information Systems Security Training\n                 Guidelines should comply with 5 Code of Federal Regulations\n                 Part 930, Subpart C, National Institute of Standards and Tech-\n                 nology Special Publication 800-16, National Security Telecom-\n                 munications and Information Systems Security Committee, and\n                 other applicable Federal Government directives and standards.\n\n               Recommendation 15: We recommend the Bureau of Diplomatic\n                 Security amend 12 Foreign Affairs Manual 600 to require that\n                 users demonstrate adequate understanding of their automated\n                 information systems security responsibilities, based on the\n                 Department\xe2\x80\x99s Automated Information Systems Security Training\n                 Guidelines, within 30 days of being granted access to systems,\n                 and at least annually thereafter. 
This recommendation is based\n                 on the assumption that the Bureau will complete the Guidelines\n                 as it has agreed to do in Recommendation 14.\n\n               Recommendation 16: We recommend that the Bureau of Diplo-\n                 matic Security amend 12 Foreign Affairs Manual 600 to require\n                 that users receive periodic and threat-specific continuing and\n                 refresher security training for automated information systems.\n\n               Recommendation 17: We recommend the Bureau of Diplomatic\n                 Security amend 12 Foreign Affairs Manual 600 to require execu-\n                 tive or principal officers of all posts, bureaus, and offices to an-\n                 nually certify to the Chief Information Officer and the Bureau\n                 of Diplomatic Security their compliance with the Department\xe2\x80\x99s\n                 Automated Information Systems Security Training Guidelines\n                 developed by the Bureau of Diplomatic Security.\n\n\n\n\n38   OIG Report No. 
01-IT-R-044, Critical Infrastructure Protection - June 2001\n\n\n                   UNCLASSIFIED\n\x0c                                  UNCLASSIFIED\n\n\n\nA bbr\n  bbreeviations\n\n                     CIO       Chief Information Officer\n                     CIP       Critical Infrastructure Protection\n                    CIPP       Critical Infrastructure Protection Plan\n             Department        Department of State\n                  DGHR         Director General of the Foreign Service and Director of Human\n                               Resources\n                      DS       Bureau of Diplomatic Security\n                    FAM        Foreign Affairs Manual\n                     INL       International Narcotics and Law Enforcement Affairs\n                     IRM       Bureau of Information Resource Management\n                    OIG        Office of Inspector General\n                    OMB        Office of Management and Budget\n                    OPM        U.S. Office of Personnel Management\n                    NSC        National Security Council\n                    NIST       National Institute of Standards and Technology\n                NSTISSC        National Security Telecommunications and Information Systems\n                               Security Committee\n                 NTISSD        National Telecommunications and Information Systems Security\n                               Directive\n                NSTISSI        National Security Telecommunications and Information Systems\n                               Security Instructions\n                    PDD        Presidential Decision Directive\n\n\n\n\nOIG Report No. 01-IT-R-044, Critical Infrastructure Protection - June 2001                 39\n\n\n                                  UNCLASSIFIED\n\x0c'